Microsoft subsidiary GitHub will warn programmers about vulnerable dependencies at every pull request, the source code sharing hub announced at its GitHub Universe conference Tuesday.
Modern software is typically a patchwork of third-party and newly written code. That third-party code is often dependent on even more third-party code. It can take a while for every link in a chain to even notice a problem, let alone repair it.
GitHub's new offering merges the existing dependency graph and notifications about vulnerabilities within dependencies into an advance warning that a problem may already exist.
"The longest delay when it comes to mitigating vulnerabilities is discovering vulnerabilities," Maya Kaczorowski, senior director of product management at GitHub, told SC Media. "It was great for us to be helping you after the fact, but a lot of our focus now is shifting left — letting developers detect vulnerabilities earlier on."
Kaczorowski notes that in GitHub's experience, slight automation changes have had real effects on the speed at which problems are noticed and fixed. She hopes that will happen again here.
Vulnerabilities in dependencies is a long held, industry-wide problem.
"More of the code in software is assembled than written from scratch today," said Chris Wysopal, co-founder and chief technology officer of the software vulnerability scanning service Veracode. "Veracode finds over 70 percent of applications come from open source packages. This means risk is shifting more toward dependencies, and developers need a quick and easy way of determining if they are using a vulnerable component. There is no better place to do this detection than in the developers’ workflow, where they have the ability to easily fix the problem."